AIM IPS Configuration Sequence

3. Initialize the AIM IPS. Open a session to the module from the router and run the setup command.

4. Create the service account.

Caution Consider carefully whether you want to create a service account. The service account provides shell access to the underlying system, which enlarges the attack surface of the module: anyone who obtains the service account password gets more than the IPS CLI exposes. On the other hand, the service account is the only way to reset the administrator password if it is lost. Weigh these two points against each other before deciding whether a service account should exist on the system.

5. Perform the other initial tasks, such as adding users, trusted hosts, and so forth.

Hardware Interfaces

Figure 19-1 shows the router and the AIM IPS interfaces used for internal communication. You can configure the router interfaces through the Cisco IOS CLI and the AIM IPS interfaces through the IPS CLI, IDM, IME, or CSM.

Figure 19-1 AIM IPS and Router Interfaces

1 Router interface to the AIM IPS (IDS-Sensor 0/1). Use the Cisco IOS CLI to configure the IP address of the router interface that connects to the AIM IPS. This router IP address is used as the default router (default gateway) IP address when you configure Cisco IPS on the AIM IPS.

2 AIM IPS interface to the router (GigabitEthernet0/1). Configure this command and control interface using the IPS CLI, IDM, IME, or CSM.

3 Router interface to the external link.

Note You need two IP addresses to configure the AIM IPS. The AIM IPS has a command and control IP address that you configure through the Cisco IPS CLI. You also assign an IP address to the router for its internal interface (IDS-Sensor 0/x) to the AIM IPS. This IP address belongs to the router itself and is used for routing traffic to the command and control interface of the AIM IPS. It is used as the default router IP address when you set up the AIM IPS command and control interface.

Setting Up Interfaces on the AIM IPS and the Router

This section describes how to set up interfaces on the AIM IPS and the router, and contains the following topics:

AIM IPS Interface Configuration Sequence

Follow this sequence to set up interfaces on the AIM IPS and the router:

1. Configure the IPS command and control interface on the router, and the AIM IPS IP address, mask, and gateway using one of the following methods:

•An unnumbered IP address on the IDS-Sensor interface

Note Using an unnumbered IP address on the IDS-Sensor interface is the preferred method for configuring interfaces on the module and router.

•A routable IP address

•Default module IP address with NAT

•User-configured IP address with NAT

2. Enable the monitoring interface and specify whether it is promiscuous or inline, assign the ACL to the interface, specify how you want the router to handle traffic if the module fails, and create a monitoring ACL (optional).

ARC and NAT

If you use NAT to establish management access to the AIM IPS, ARC on the AIM IPS does not know the external IP address of the AIM IPS. To make sure that management access to the AIM IPS is not interrupted by devices that the AIM IPS is managing, you must state the NAT address of the AIM IPS every time you add a blocking device.

Configuring Monitoring on the Router Interface

Note You must add the AIM IPS internal interface to the virtual sensor (vs0) so that traffic can be monitored.

To configure the router interface to be monitored, follow these steps:

Step 1 Log in to the router.

Step 2 Enter privileged EXEC mode on the router.

router> enable

Step 3 (Optional) Configure a monitoring access list on the router.

router(config)# access-list 101 permit tcp any eq www any

You can create a standard or extended access list and apply it to control which traffic the module inspects. Traffic that matches a permit entry in the monitoring ACL bypasses inspection; everything else is sent to the AIM IPS. Access list 101 above is an extended ACL, and this example bypasses inspection of HTTP traffic only (TCP traffic with source port 80, that is, HTTP server responses). The access-list command is entered in global configuration mode, so enter configure terminal after enable. Refer to your Cisco IOS Command Reference for the options of the access-list command.

Step 4 Enable monitoring on the interface in either inline or promiscuous mode and associate the access list.

Note The fail-close option means that if the AIM IPS fails, then the router does not let traffic pass. The fail-open option means if the AIM IPS fails, the router lets traffic pass, but it is not inspected by the IPS.
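A complete router-side configuration for the interface sequence and monitoring steps above, added here as a worked example (it is not configuration from the original page). It uses the preferred unnumbered method: IDS-Sensor 0/1 borrows the address of GigabitEthernet0/0, whose 10.89.148.1/24 address is an assumption for this example; the sensor management address 10.89.148.196 is the one shown in the status output later in this chapter. The host route, the ids-service-module monitoring command under the monitored interface, and the sensor-side setup values do not appear on this page and are assumed from the AIM IPS platform configuration, so verify them against your IOS release.

```cisco
! Constructed example. Router LAN interface (assumed address). The default
! gateway entered in the sensor's setup must be this address.
router# configure terminal
router(config)# interface GigabitEthernet0/0
router(config-if)# ip address 10.89.148.1 255.255.255.0
router(config-if)# exit
!
! Internal interface to the module. ip unnumbered means no second routable
! address is exposed on the module link; fail-close drops traffic instead of
! passing it uninspected if the module's heartbeat is lost.
router(config)# interface ids-sensor 0/1
router(config-if)# ip unnumbered GigabitEthernet0/0
router(config-if)# service-module fail-close
router(config-if)# no shutdown
router(config-if)# exit
!
! Host route (assumed) so the router reaches the sensor's command and control
! address over the unnumbered link. Sensor-side setup values that match this
! router configuration: IP 10.89.148.196/24, default gateway 10.89.148.1.
router(config)# ip route 10.89.148.196 255.255.255.255 IDS-Sensor0/1
!
! Monitoring ACL: traffic matching a permit entry bypasses inspection.
! Here only HTTP server responses (TCP source port 80) are excluded.
router(config)# access-list 101 permit tcp any eq www any
!
! Send the LAN interface's traffic through the module inline and apply the ACL
! (command assumed from the platform guide; promiscuous is the other mode).
router(config)# interface GigabitEthernet0/0
router(config-if)# ids-service-module monitoring inline access-list 101
router(config-if)# end
!
! Verify: the status output should show Steady state, fail close and
! Mgmt TLS enabled; the route lookup should point at IDS-Sensor0/1.
router# service-module ids-sensor 0/1 status
router# show ip route 10.89.148.196
```

With this configuration the sensor's command and control address is reachable only through the router, which is the isolation the Establishing Sessions section below argues for; fail-close is the conservative choice when an uninspected path is less acceptable than an outage.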

Establishing Sessions

Because the AIM IPS has no external console port, console access to it is provided through the router: either with the service-module ids-sensor slot/port session command, or with a Telnet connection to the router on the TCP port that corresponds to the TTY line of the module (2000 plus the line number; in the examples below, TTY line 322 maps to port 2322). This also means that the initial bootup configuration is possible only through the router.

When you issue the service-module ids-sensor slot/port session command, you create a console session with the AIM IPS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to the Cisco IOS CLI.

The session command starts a reverse Telnet connection using the IP address of the IDS-Sensor interface, the interface between the AIM IPS and the router. You must assign an IP address to the IDS-Sensor interface before invoking the session command. If that address is routable, the AIM IPS becomes reachable on the network through it, so it can be contacted from outside the router and the IDS-Sensor interface itself becomes a target. To avoid this, assign an unnumbered IP address to the IDS-Sensor interface: the address is then used only locally between the router and the AIM IPS and is isolated for the purpose of sessioning in to the module.

Note Before you install your application software or reimage the module, opening a session brings up the bootloader. After you install the software, opening a session brings up the application.

Caution If you session to the module and perform large console transfers, character traffic may be lost unless the host console interface speed is set to 115200 bps or higher. Use the show running-config command to check that the speed is set to 115200 bps.

Opening and Closing a Session

Note You must initialize the AIM IPS (run the setup command) from the router. After networking is configured, SSH and Telnet are available.

Use the service-module ids-sensor slot/port session command to establish a session from the router to the AIM IPS. To suspend the session and return from the AIM IPS prompt to the router prompt, press Ctrl-Shift-6, then x. To resume the suspended session, press Enter on a blank line at the router prompt; you are returned to the AIM IPS prompt where you left off. Suspend a session only if you will return to it after executing router commands. If you do not plan to return to the AIM IPS session, close it rather than suspend it.

When you close a session, you are logged completely out of the AIM IPS CLI and a new session connection requires a username and password to log in. A suspended session leaves you logged in to the CLI. When you connect with the session command, you can go back to the same CLI without having to provide your username and password.

Note Telnet clients vary. In some cases, you may have to press Ctrl-6 + x. The control character is specified as ^^, Ctrl-^, or ASCII value 30 (hex 1E).

Caution If you use the disconnect command to leave the session, the session remains running. The open session can be exploited by someone wanting to take advantage of a connection that is still in place.

To open and close sessions to the AIM IPS, follow these steps:

Step 1 Log in to the router.

Step 2 Check the status of the AIM IPS to make sure it is running.

router# service-module ids-sensor 0/1 status

Service Module is Cisco IDS-Sensor0/1

Service Module supports session via TTY line 322

Service Module is in Steady state

Getting status from the Service Module, please wait..

Cisco Systems Intrusion Prevention System Network Module

Software version: 6.2(1)E3

Model: AIM IPS

Memory: 443508 KB

Mgmt IP addr: 10.89.148.196

Mgmt web ports: 443

Mgmt TLS enabled: true

router#

Step 3 Open a session from the router to the AIM IPS.

router# service-module ids-sensor 0/1 session

Trying 10.89.148.196, 2322 ... Open

Step 4 Exit, or suspend and close the module session:

•sensor# exit

Note If you are in submodes of the IPS CLI, you must exit all submodes. Enter exit until the sensor login prompt appears.

Caution Failing to close a session properly makes it possible for others to exploit a connection that is still in place. Remember to enter exit at the router# prompt to close the Cisco IOS session completely.

•To suspend the session to the AIM IPS (leaving it logged in), press Ctrl-Shift and press 6. Release all keys, and then press x. Close the session with exit from the sensor prompt when you are done with it.

Note When you are finished with a session, return to the router to establish the association between the IPS application on the module and the router interfaces you want to monitor (see Configuring Monitoring on the Router Interface).

Displaying the Status of the AIM IPS

Use the service-module ids-sensor slot/port status command in privileged EXEC mode to display the status and statistics of the AIM IPS.

To display the status of the AIM IPS, follow these steps:

Step 1 Log in to the router.

Step 2 Enter privileged EXEC mode on the router.

router> enable

Step 3 Display the status of the AIM IPS.

router# service-module ids-sensor 0/1 status

Service Module is Cisco IDS-Sensor0/1

Service Module supports session via TTY line 322

Service Module is in Steady state

Service Module is in fail close

Cisco Systems Intrusion Prevention System Network Module

Software version: 7.0(4)E4

Model: AIM IPS

Memory: 443508 KB

Mgmt IP addr: 10.89.148.196

Mgmt web ports: 443

Mgmt TLS enabled: true

router#

Enabling and Disabling Heartbeat Reset

Use the service-module ids-sensor slot/port heartbeat-reset {enable | disable} command in privileged EXEC mode to enable or disable the heartbeat reset of the AIM IPS.

When the AIM IPS is booted in failsafe mode or is undergoing an upgrade, use the service-module ids-sensor slot/port heartbeat-reset disable command to prevent the router from rebooting the module during the process. If you leave the heartbeat reset enabled during an upgrade, the heartbeat may be lost while the module is busy, and the router then resets the AIM IPS in the middle of the upgrade.

When the AIM IPS heartbeat is lost, the router applies a fail-open or fail-close configuration option to AIM IPS and stops sending traffic to AIM IPS, and sets AIM IPS to error state. The router performs a hardware reset on AIM IPS and monitors AIM IPS until the heartbeat is reestablished.

Note Disabling the heartbeat reset prevents the router from resetting the module during system image installation if the process takes too long.
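The maintenance ordering described above, as an added example that is not from the original page: the heartbeat reset is disabled for the duration of a system-image installation so that a slow install cannot trigger a hardware reset of the module, and is re-enabled once the module is back in Steady state. The slot/port 0/1 matches the other examples in this chapter; the image installation itself is started from the sensor's own CLI inside the session and is only indicated as a comment.

```cisco
! Before the upgrade: stop the router from resetting the module on heartbeat loss.
router# service-module ids-sensor 0/1 heartbeat-reset disable
router# service-module ids-sensor 0/1 status
!  ... confirm "Service Module is in Steady state" before you start.
!
! Open a session and run the image installation from the IPS CLI (the sensor
! upgrade procedure is not shown here). When it finishes, close the session
! with exit from the sensor prompt; do not merely suspend it with Ctrl-Shift-6 x.
router# service-module ids-sensor 0/1 session
!
! After the module has reloaded and the heartbeat is back, re-arm the reset.
router# service-module ids-sensor 0/1 status
router# service-module ids-sensor 0/1 heartbeat-reset enable
!
! If the module does not come back on its own, reset the hardware, then recheck.
router# service-module ids-sensor 0/1 reset
router# service-module ids-sensor 0/1 status
```

While the heartbeat reset is disabled the router no longer recovers the module automatically, so the status check and the final heartbeat-reset enable are part of the procedure, not optional.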

Rebooting, Resetting, and Shutting Down the AIM IPS

AIM IPS Status Monitoring

The AIM IPS uses RBCP to monitor its status. RBCP is monitored by the main application on the AIM IPS, not by SensorApp. If the main application on the AIM IPS fails, the RBCP heartbeat responses do not return from the AIM IPS. When the router determines that the AIM IPS has failed, a reload command is issued through RBCP to reboot the Linux kernel on the AIM IPS. In the period during the attempt to bring the AIM IPS back up, the router works in the mode determined by the failover operation configured.

In some cases, SensorApp may stop processing, but the main application on the AIM IPS continues to process RBCP packets. In this case, packets are processed according to the bypass settings set for the AIM IPS by the IPS CLI, IDM, or IME.

There are two situations in which the AIM IPS shuts down:

•A hardware or software error forces it to fail. The router can detect this through the loss of the RBCP heartbeat.

interface ids-sensor

To configure the IPS sensor interface and enter config-if mode, use the interface ids-sensor command in config mode. To specify how the router handles traffic inspection during a module failure, use the service-module command in config-if mode. The default is fail open.

interface ids-sensor slot/port

ip {address | unnumbered}

service-module {fail-close | fail-open}

Syntax Description

slot

Number of the router chassis slot for the AIM IPS.

/port

Port number of the AIM IPS.

Note The slash mark is required between the slot and port arguments.

ids-sensor

The IPS interface for the AIM IPS.

ip address

Sets the IP address of an interface.

ip unnumbered

Enables IP address processing without an explicit IP address.

service-module fail-close

If the AIM IPS fails, the router drops all traffic that would have been sent to the module for inspection.

service-module fail-open

If the AIM IPS fails, the router passes all traffic through without inspection (default).

Caution Although there are 57 subcommands associated with the ip command, the only two supported for the modules are ip address and ip unnumbered. Enabling any of the other subcommands can result in unpredictable behavior.

Defaults

The default setting is fail-open.

Command Modes

Config

Config-if

Command History

Release

Modification

12.4(20)T

This command was introduced.

Usage Guidelines

The interface ids-sensorslot/port command lets you enter config-if mode and configure the IPS sensor slot and port. On the AIM IPS, the slot value is 0 and the port number value is specified by identifying the physical location where the module is installed on the router.

Examples

The following example demonstrates how to use the interface ids-sensor command to enter config-if mode on an AIM IPS in slot 0, port 1:

router(config)# interface ids-sensor 0/1

router(config-if)#

The following example demonstrates how to use the interface ids-sensor command with the ip unnumbered subcommand to specify the router command and control interface:

router(config)# interface ids-sensor 0/1

router(config-if)# ip unnumbered router_command_and_control_interface

router(config-if)#

The following example demonstrates how to use the service-module fail-open command to configure the AIM IPS to pass all traffic through the module when the hardware fails, but not to perform traffic inspection:

router(config)# interface ids-sensor 0/1

router(config-if)# service-module fail-open

router(config-if)#

Related Commands

Command

Description

interface interface_name

Lets you specify which interface should be monitored.

interface interface_name

To enter config-if mode, configure the interface for monitoring in promiscuous or inline mode, and apply a standard or extended ACL to inline monitoring, use the interface interface_name command in config mode.

Related Commands

Command

Description

interface ids-sensor

Configures the IPS interface.

service-module ids-sensor

Caution When you reload the router, the AIM IPS also reloads. To avoid losing data on the AIM IPS, shut the module down with the service-module ids-sensor slot/port shutdown command before you use the reload command to reboot the router.

Use the service-module ids-sensor command in privileged EXEC mode to enable or disable the heartbeat reset (which controls whether Cisco IOS software reboots the AIM IPS when the heartbeat is lost), to reboot, reset, or shut down the module, to open a console session to it, and to display its statistics and status.

Syntax Description

Note The slash mark is required between the slot and port arguments.

heartbeat-reset

Enables or disables the heartbeat reset. The default is enabled.

Note Disabling the heartbeat reset prevents the router from resetting the AIM IPS during system image installation if the process takes too long.

reload

Performs a graceful halt and reboot of the operating system on the AIM IPS.

reset

Resets the hardware on the AIM IPS. This command is usually used to recover from a shutdown.

session

Enables console access to the AIM IPS from the router.

shutdown

Shuts down the IPS application running on the AIM IPS.

statistics

Provides AIM IPS statistics.

status

Provides information about the status of the IPS software.

Defaults

The default is heartbeat-reset enabled.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.4(15)XY

This command was introduced.

12.4(20)T

This command was introduced.

Usage Guidelines

When the AIM IPS is booted in failsafe mode or is undergoing an upgrade, use the service-module ids-sensor slot/port heartbeat-reset disable command to prevent the router from rebooting the module during the process. If you leave the heartbeat reset enabled during an upgrade, the heartbeat may be lost while the module is busy, and the router then resets the AIM IPS in the middle of the upgrade.

When the AIM IPS heartbeat is lost, the router applies a fail-open or fail-close configuration option to the AIM IPS and stops sending traffic to the AIM IPS, and sets the AIM IPS to error state. The router performs a hardware reset on the AIM IPS and monitors the AIM IPS until the heartbeat is reestablished.

If a confirmation prompt is displayed, press Enter to confirm the action or n to cancel.

Examples

The following example demonstrates how to disable or enable the reset action when the heartbeat is lost on an AIM IPS in slot 0, port1: